Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems.
Network Time Protocol (NTP) offers a means of synchronising clocks over a computer network. Features of the simple UDP-based protocol mean it is possible to abuse it to return a large reply to a small request.
The technique was used to take down Battle.net, League of Legends, Steam and other gaming sites in late December for reasons that still remain unclear, weeks later.
Symantec recorded a "significant spike in NTP reflection attacks" in general over the Christmas season.
DNS-based reflection and amplification attacks were used in high volume attacks against Spamhaus and others in 2013. "NTP-based attacks use similar techniques, just a different protocol," CloudFlare, the web security firm that helped Spamhaus mitigate last year's packet flood, explains.
The message to web admins and ISPs in both cases is clear: fix your servers and prevent them from participating in amplification attacks. Resolving misconfiguration problems in either case is straightforward and shouldn't take more than a few minutes. In the case of open DNS resolvers the fix involves configuration changes, while open NTP servers can be taken out of the pool of systems open to abuse by cybercrooks through either patching or disabling an abusable service.
Publicly accessible NTP servers can be abused to swamp a target system with UDP traffic. An attacker would send a series of "get monlist" requests to a vulnerable NTP server, with the source address spoofed to be the victim’s.
US-CERT advises sys admins to either disable the monlist functionality within the NTP server or to upgrade to the latest version of the technology (NTP 4.2.7), which doesn't automatically enable the problematic monlist service. A small query can redirect megabytes of traffic, security experts at the SANS Institute's Internet Storm Centre warn.
The Open NTP Project is a useful resource in helping to identify vulnerable systems because it allows sysadmins to use external IP addresses to search through a ready-compiled database of affected machines, as explained in a blog post by cloud security firm Qualys here. ®